diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if --- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain 2011-10-21 09:59:22.539973347 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if 2011-10-21 09:59:23.104972871 -0400 @@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',` role $2 types useradd_t; # Add/remove user home directories - userdom_manage_home_role($2, useradd_t) + userdom_manage_home_role($2) seutil_run_semanage(useradd_t, $2) diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te --- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain 2011-10-21 09:59:22.999972958 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-21 09:59:23.105972870 -0400 @@ -517,7 +517,7 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_home_role(system_r, useradd_t) +userdom_manage_home(useradd_t) mta_manage_spool(useradd_t) diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if --- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain 2011-10-21 09:59:23.031972932 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-21 09:59:23.105972870 -0400 
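Review bot: The comment `# Add/remove user home directories` now sits above a role-only statement, because `userdom_manage_home_role($2)` no longer grants useradd_t any access; the domain-side rules moved to usermanage.te as `userdom_manage_home(useradd_t)` in the next hunk. Reword it to `# Authorize the caller's role for user home types; useradd_t's own home access is granted in usermanage.te` so a reader does not assume the role call still carries the manage rules. usermanage_run_useradd continues outside the hunk.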
@@ -57,8 +57,6 @@ template(`execmem_role_template',` role $2 types $1_execmem_t; userdom_unpriv_usertype($1, $1_execmem_t) - userdom_manage_tmp_role($2, $1_execmem_t) - userdom_manage_tmpfs_role($2, $1_execmem_t) allow $1_execmem_t self:process { execmem execstack }; allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if --- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain 2011-10-21 09:59:22.557973331 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-21 09:59:23.106972869 -0400 @@ -73,7 +73,8 @@ template(`java_role_template',` domain_interactive_fd($1_java_t) userdom_unpriv_usertype($1, $1_java_t) - userdom_manage_tmpfs_role($2, $1_java_t) + userdom_manage_tmpfs_role($2) + userdom_manage_tmpfs($1_java_t) allow $1_java_t self:process { ptrace signal getsched execmem execstack }; diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if --- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain 2011-10-21 09:59:22.562973328 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-21 09:59:23.107972868 -0400 @@ -49,7 +49,8 @@ template(`mono_role_template',` corecmd_bin_domtrans($1_mono_t, $1_t) userdom_unpriv_usertype($1, $1_mono_t) - userdom_manage_tmpfs_role($2, $1_mono_t) + userdom_manage_tmpfs_role($2) + userdom_manage_tmpfs($1_mono_t) optional_policy(` xserver_role($1_r, $1_mono_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if --- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain 2011-10-21 09:59:22.564973326 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-21 09:59:23.107972868 -0400 
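Review bot: The two removed lines drop tmp and tmpfs access for $1_execmem_t with no domain-side replacement, while the java.if and mono.if hunks on this line (and wine.if further down) replace theirs with an explicit `userdom_manage_tmpfs($1_java_t)`-style call. All four domains pass through `userdom_unpriv_usertype`, so presumably they inherit the access from `userdom_manage_tmp(unpriv_userdomain)` / `userdom_manage_tmpfs(unpriv_userdomain)` in userdomain.te; if that is the intent the java/mono/wine calls are redundant, and if it is not, execmem loses access it had. Pick one convention: either add `userdom_manage_tmp($1_execmem_t)` and `userdom_manage_tmpfs($1_execmem_t)` here or drop the explicit calls in the other three templates. execmem_role_template continues outside the hunk.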
@@ -51,7 +51,7 @@ interface(`mozilla_role',` mozilla_run_plugin(mozilla_t, $1) mozilla_dbus_chat($2) - userdom_manage_tmp_role($1, mozilla_t) + userdom_manage_tmp_role($1) optional_policy(` nsplugin_role($1, mozilla_t) diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if --- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain 2011-10-21 09:59:22.568973322 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-21 09:59:23.108972867 -0400 @@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', ` userdom_use_inherited_user_terminals(nsplugin_t) userdom_use_inherited_user_terminals(nsplugin_config_t) userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) - userdom_manage_tmpfs_role($1, nsplugin_t) + userdom_manage_tmpfs_role($1) optional_policy(` pulseaudio_role($1, nsplugin_t) diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te --- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain 2011-10-21 09:59:22.569973321 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-21 09:59:23.109972866 -0400 @@ -281,6 +281,7 @@ userdom_search_user_home_content(nsplugi userdom_read_user_home_content_symlinks(nsplugin_config_t) userdom_read_user_home_content_files(nsplugin_config_t) userdom_dontaudit_search_admin_dir(nsplugin_config_t) +userdom_manage_tmpfs(nsplugin_t) tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(nsplugin_t) diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if --- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain 2011-10-21 09:59:22.571973319 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if 2011-10-21 09:59:23.109972866 -0400 
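Review bot: `userdom_manage_tmp_role($1)` no longer grants mozilla_t anything, and unlike pulseaudio and nsplugin this patch contains no mozilla.te hunk adding `userdom_manage_tmp(mozilla_t)`. Unless mozilla_t carries unpriv_userdomain (not visible here), mozilla loses manage and relabel access to user_tmp_type together with the files_tmp_filetrans that the old interface provided. Add `userdom_manage_tmp(mozilla_t)` to mozilla.te, or state in the commit why it is already covered. mozilla_role continues outside the hunk.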
@@ -35,9 +35,9 @@ interface(`pulseaudio_role',` allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; - userdom_manage_home_role($1, pulseaudio_t) - userdom_manage_tmp_role($1, pulseaudio_t) - userdom_manage_tmpfs_role($1, pulseaudio_t) + userdom_manage_home_role($1) + userdom_manage_tmp_role($1) + userdom_manage_tmpfs_role($1) allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te --- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain 2011-10-21 09:59:22.572973318 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te 2011-10-21 09:59:23.110972865 -0400 @@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) +userdom_manage_home(pulseaudio_t) +userdom_manage_tmp(pulseaudio_t) +userdom_manage_tmpfs(pulseaudio_t) + optional_policy(` alsa_read_rw_config(pulseaudio_t) ') diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if --- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain 2011-10-21 09:59:22.585973308 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if 2011-10-21 09:59:23.111972864 -0400 @@ -294,7 +294,7 @@ template(`userhelper_console_role_templa auth_use_pam($1_consolehelper_t) - userdom_manage_tmpfs_role($2, $1_consolehelper_t) + userdom_manage_tmpfs_role($2) optional_policy(` dbus_connect_session_bus($1_consolehelper_t) diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te --- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain 2011-10-21 09:59:22.586973307 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te 2011-10-21 09:59:23.111972864 -0400 
@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain) userdom_use_user_ptys(consolehelper_domain) userdom_use_user_ttys(consolehelper_domain) userdom_read_user_home_content_files(consolehelper_domain) +userdom_manage_tmpfs(consolehelper_domain) optional_policy(` gnome_read_gconf_home_files(consolehelper_domain) diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if --- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain 2011-10-21 09:59:22.590973303 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-21 09:59:23.112972863 -0400 @@ -105,7 +105,8 @@ template(`wine_role_template',` corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_tmpfs_role($2, $1_wine_t) + userdom_manage_tmpfs_role($2) + userdom_manage_tmpfs($1_wine_t) domain_mmap_low($1_wine_t) diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if --- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain 2011-10-21 09:59:22.592973302 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/wm.if 2011-10-21 09:59:23.113972862 -0400 @@ -77,9 +77,13 @@ template(`wm_role_template',` miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) - userdom_manage_home_role($2, $1_wm_t) - userdom_manage_tmpfs_role($2, $1_wm_t) - userdom_manage_tmp_role($2, $1_wm_t) + userdom_manage_home_role($2) + userdom_manage_home($1_wm_t) + userdom_manage_tmpfs_role($2) + userdom_manage_tmpfs($1_wm_t) + userdom_manage_tmp_role($2) + userdom_manage_tmp($1_wm_t) + userdom_exec_user_tmp_files($1_wm_t) optional_policy(` diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te --- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain 2011-10-21 09:59:23.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-21 10:00:11.291932414 -0400 
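Review bot: `userdom_exec_user_tmp_files($1_wm_t)` is a new permission, not part of the role/domain split the rest of this patch performs, and nothing in the hunk explains it. Letting a window-manager domain execute files labelled user_tmp_t widens what a misbehaving or compromised WM process can run, so it deserves its own why-comment, e.g. `# TODO(review): document which window manager needs to execute user_tmp_t files`, or a separate change with its own rationale. The three role/domain pairs are also interleaved here; listing the three `_role` calls and then the three domain calls matches the pulseaudio.if hunk. wm_role_template continues outside the hunk.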
@@ -61,7 +61,8 @@ sysnet_filetrans_named_content(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) -userdom_manage_tmp_role(sysadm_r, sysadm_t) +userdom_manage_tmp_role(sysadm_r) +userdom_manage_tmp(sysadm_t) optional_policy(` alsa_filetrans_named_content(sysadm_t) diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te --- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain 2011-10-21 09:59:23.035972928 -0400 +++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-10-21 09:59:23.114972861 -0400 @@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true) # calls is not correct, however we dont currently # have another method to add access to these types userdom_base_user_template(unconfined) -userdom_manage_home_role(unconfined_r, unconfined_t) -userdom_manage_tmp_role(unconfined_r, unconfined_t) -userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_manage_home_role(unconfined_r) +userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file sock_file fifo_file }) +userdom_manage_tmp_role(unconfined_r) +userdom_manage_tmp(unconfined_t) +userdom_manage_tmpfs_role(unconfined_r) +userdom_manage_tmpfs(unconfined_t) userdom_unpriv_usertype(unconfined, unconfined_t) type unconfined_exec_t; diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te --- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain 2011-10-21 09:59:22.860973076 -0400 +++ serefpolicy-3.10.0/policy/modules/services/rshd.te 2011-10-21 09:59:23.115972861 -0400 
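Review bot: Only tmp access is re-granted to sysadm_t here; before this patch sysadm_t also obtained user_tmpfs_type and home manage rules through `userdom_login_user_template`'s `userdom_manage_tmpfs_role($1_r, $1_usertype)` and `userdom_manage_home_role($1_r, $1_usertype)`, which the @@ -872 hunk in userdomain.if turns into role-only calls. The domain-side replacement in userdomain.te is attached to unpriv_userdomain; unless sysadm_t carries that attribute (not visible here), it loses tmpfs manage access. If that is not intended, add `userdom_manage_tmpfs(sysadm_t)` next to `userdom_manage_tmp(sysadm_t)` and decide whether `userdom_manage_home(sysadm_t)` is wanted alongside the existing `userdom_manage_user_home_dirs(sysadm_t)`.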
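Review bot: The unconfined_t block is asymmetric: tmp and tmpfs get explicit `userdom_manage_tmp(unconfined_t)` / `userdom_manage_tmpfs(unconfined_t)` calls, but home gets a bare `userdom_user_home_dir_filetrans_user_home_content(...)` instead of `userdom_manage_home(unconfined_t)`. Since `userdom_unpriv_usertype(unconfined, unconfined_t)` follows, unconfined_t presumably receives all three through unpriv_userdomain in userdomain.te, in which case the two explicit calls and the filetrans (already part of `userdom_manage_home` via its filetrans_pattern) are redundant; if it does not, home manage access is missing. Either drop the three added domain-side lines or make home consistent with `userdom_manage_home(unconfined_t)`, and say which in the comment above that already notes these calls are a workaround.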
@@ -66,7 +66,7 @@ seutil_read_config(rshd_t) seutil_read_default_contexts(rshd_t) userdom_search_user_home_content(rshd_t) -userdom_manage_tmp_role(system_r, rshd_t) +userdom_manage_tmp(rshd_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if --- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain 2011-10-21 09:59:22.884973056 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-21 09:59:23.116972861 -0400 @@ -380,7 +380,7 @@ template(`ssh_role_template',` manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) - userdom_manage_tmp_role($2, ssh_t) + userdom_manage_tmp(ssh_t) ############################## # diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te --- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain 2011-10-21 09:59:22.885973055 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ssh.te 2011-10-21 09:59:23.117972860 -0400 @@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t) userdom_write_user_tmp_files(ssh_t) userdom_read_user_home_content_symlinks(ssh_t) userdom_read_home_certs(ssh_t) +userdom_manage_tmp(ssh_t) tunable_policy(`allow_ssh_keysign',` domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) 
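Review bot: `userdom_manage_tmp(ssh_t)` inside ssh_role_template is a domain-only rule set with no role component, so it is emitted once per instantiated role and duplicates the `userdom_manage_tmp(ssh_t)` added to ssh.te in the @@ -200 hunk on this line. Remove the template copy and keep the global one. In that ssh.te hunk the existing `userdom_read_user_tmp_files(ssh_t)` and `userdom_write_user_tmp_files(ssh_t)` are subsumed by the manage grant and can go as well. ssh_role_template continues outside the hunk.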
@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets( userdom_read_user_home_content_files(sshd_t) userdom_read_user_home_content_symlinks(sshd_t) -userdom_manage_tmp_role(system_r, sshd_t) +userdom_manage_tmp(sshd_t) userdom_spec_domtrans_unpriv_users(sshd_t) userdom_signal_unpriv_users(sshd_t) userdom_dyntransition_unpriv_users(sshd_t) diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te --- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain 2011-10-21 09:59:22.887973053 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sssd.te 2011-10-21 09:59:23.117972860 -0400 @@ -93,7 +93,7 @@ miscfiles_read_generic_certs(sssd_t) sysnet_dns_name_resolve(sssd_t) sysnet_use_ldap(sssd_t) -userdom_manage_tmp_role(system_r, sssd_t) +userdom_manage_tmp(sssd_t) optional_policy(` dbus_system_bus_client(sssd_t) diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te --- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain 2011-10-21 09:59:23.042972923 -0400 +++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-21 09:59:23.119972858 -0400 @@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_files(xdm_t) userdom_manage_user_tmp_sockets(xdm_t) -userdom_manage_tmpfs_role(system_r, xdm_t) +userdom_manage_tmpfs(xdm_t) application_signal(xdm_t) diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if --- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain 2011-10-21 09:59:23.046972919 -0400 +++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-21 09:59:23.121972856 -0400 
@@ -35,21 +35,14 @@ template(`userdom_base_user_template',` type $1_t, userdomain, $1_usertype; domain_type($1_t) role $1_r; - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) ubac_constrained($1_t) role $1_r types $1_t; allow system_r $1_r; - term_user_pty($1_t, user_devpts_t) - - term_user_tty($1_t, user_tty_device_t) - term_dontaudit_getattr_generic_ptys($1_t) - allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; allow $1_usertype $1_usertype:fd use; - allow $1_usertype $1_t:key { create view read write search link setattr }; + allow $1_usertype $1_usertype:key { create view read write search link setattr }; allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; 
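Review bot: The changed key rule widens access from the login type to the whole attribute: `allow $1_usertype $1_usertype:key { create view read write search link setattr }` lets every type in the user's attribute, including the application domains that userdom_unpriv_usertype appears to add to it, read and write each other's keyrings, where before only keys owned by `$1_t` were reachable. That may be intended, but it is unrelated to the role/domain split and deserves a why-comment, e.g. `# all of a user's domains share keyring access; previously limited to $1_t keys`. Likewise the removed `corecmd_shell_entry_type($1_t)` / `corecmd_bin_entry_type($1_t)` and term_* lines reappear in userdomain.te on the userdomain attribute (trailing hunk), so shell and bin entrypoints now apply to every userdomain type rather than the login type only; that widening belongs in the commit message. userdom_base_user_template continues outside the hunk.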
@@ -61,114 +54,7 @@ template(`userdom_base_user_template',` allow $1_usertype $1_usertype:context contains; dontaudit $1_usertype $1_usertype:socket create; - allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_usertype, user_devpts_t) - # avoid annoying messages on terminal hangup on role change - dontaudit $1_usertype user_devpts_t:chr_file ioctl; - - allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; - # avoid annoying messages on terminal hangup on role change - dontaudit $1_usertype user_tty_device_t:chr_file ioctl; - - application_exec_all($1_usertype) - - kernel_read_kernel_sysctls($1_usertype) - kernel_read_all_sysctls($1_usertype) - kernel_dontaudit_list_unlabeled($1_usertype) - kernel_dontaudit_getattr_unlabeled_files($1_usertype) - kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) - kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) - kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) - kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) - kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) - kernel_dontaudit_list_proc($1_usertype) - - dev_dontaudit_getattr_all_blk_files($1_usertype) - dev_dontaudit_getattr_all_chr_files($1_usertype) - dev_getattr_mtrr_dev($1_t) - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_usertype) - domain_dontaudit_getattr_all_domains($1_usertype) - domain_dontaudit_getsession_all_domains($1_usertype) - dev_dontaudit_all_access_check($1_usertype) - - files_read_etc_files($1_usertype) - files_list_mnt($1_usertype) - files_list_var($1_usertype) - files_read_mnt_files($1_usertype) - files_dontaudit_access_check_mnt($1_usertype) - files_read_etc_runtime_files($1_usertype) - files_read_usr_files($1_usertype) - files_read_usr_src_files($1_usertype) - # Read directories and files with the readable_t type. 
- # This type is a general type for "world"-readable files. - files_list_world_readable($1_usertype) - files_read_world_readable_files($1_usertype) - files_read_world_readable_symlinks($1_usertype) - files_read_world_readable_pipes($1_usertype) - files_read_world_readable_sockets($1_usertype) - # old broswer_domain(): - files_dontaudit_getattr_all_dirs($1_usertype) - files_dontaudit_list_non_security($1_usertype) - files_dontaudit_getattr_all_files($1_usertype) - files_dontaudit_getattr_non_security_symlinks($1_usertype) - files_dontaudit_getattr_non_security_pipes($1_usertype) - files_dontaudit_getattr_non_security_sockets($1_usertype) - files_dontaudit_setattr_etc_runtime_files($1_usertype) - - files_exec_usr_files($1_t) - - fs_list_cgroup_dirs($1_usertype) - fs_dontaudit_rw_cgroup_files($1_usertype) - - storage_rw_fuse($1_usertype) - auth_use_nsswitch($1_t) - - init_stream_connect($1_usertype) - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_usertype) - - libs_exec_ld_so($1_usertype) - - logging_send_audit_msgs($1_t) - - miscfiles_read_localization($1_t) - miscfiles_read_generic_certs($1_t) - - miscfiles_read_all_certs($1_usertype) - miscfiles_read_localization($1_usertype) - miscfiles_read_man_pages($1_usertype) - miscfiles_read_public_files($1_usertype) - - systemd_dbus_chat_logind($1_usertype) - - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. - allow $1_t self:process execmem; - ') - - tunable_policy(`allow_execmem && allow_execstack',` - # Allow making the stack executable via mprotect. - allow $1_t self:process execstack; - ') - - optional_policy(` - abrt_stream_connect($1_usertype) - ') - - optional_policy(` - fs_list_cgroup_dirs($1_usertype) - ') - - optional_policy(` - ssh_rw_stream_sockets($1_usertype) - ssh_delete_tmp($1_t) - ssh_signal($1_t) - ') ') ####################################### 
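Review bot: Several removed lines here are scoped to `$1_t` rather than `$1_usertype` — `dev_getattr_mtrr_dev($1_t)`, `files_exec_usr_files($1_t)`, `auth_use_nsswitch($1_t)`, `logging_send_audit_msgs($1_t)`, `miscfiles_read_localization($1_t)`, `miscfiles_read_generic_certs($1_t)`, the `allow_execmem` / `allow_execstack` tunable blocks, `ssh_delete_tmp($1_t)`, `ssh_signal($1_t)` — and the visible part of the userdomain.te replacement only re-adds the `$1_usertype` rules on the userdomain attribute (up to kernel_dontaudit_getattr_unlabeled_blk_files). Whether the `$1_t` items survive cannot be confirmed from the truncated tail: if they are re-added on `userdomain` they now also apply to every application domain carrying that attribute, and if they were dropped, login domains silently lose nsswitch and audit access and the execmem/execstack booleans stop gating anything. Please state in the commit message where each moved, or keep the `$1_t`-only rules in the template. The hunk begins on the previous line and userdom_base_user_template continues outside it.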
@@ -242,6 +128,22 @@ interface(`userdom_ro_home_role',` ## The user role ## ## +## +# +interface(`userdom_manage_home_role',` + gen_require(` + type user_home_dir_t; + attribute user_home_type; + ') + + role $1 types { user_home_type user_home_dir_t }; +') + +####################################### +## +## Allow a home directory for which the +## role has full access. +## ## ## ## The user domain 
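Review bot: The header that follows the new role interface still reads `## Allow a home directory for which the role has full access.` although the interface it now documents, `userdom_manage_home`, takes a domain and carries no role statement. Change it to `## Allow the specified domain full control of user home directories.` and document the new `userdom_manage_home_role` as granting only `role $1 types { user_home_type user_home_dir_t }`, with a sentence that callers must pair it with `userdom_manage_home(domain)` to obtain any access, since the old two-argument interface did both.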
@@ -249,61 +151,58 @@ interface(`userdom_ro_home_role',` ## ## # -interface(`userdom_manage_home_role',` +interface(`userdom_manage_home',` gen_require(` type user_home_t, user_home_dir_t; attribute user_home_type; ') - role $1 types { user_home_type user_home_dir_t }; - ############################## # # Domain access to home dir # - - type_member $2 user_home_dir_t:dir user_home_dir_t; + type_member $1 user_home_dir_t:dir user_home_dir_t; # full control of the home directory - allow $2 user_home_t:dir mounton; - allow $2 user_home_t:file entrypoint; + allow $1 user_home_t:dir mounton; + allow $1 user_home_t:file entrypoint; - allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; - allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; - manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) - filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) - files_list_home($2) + allow $1 user_home_type:dir_file_class_set { relabelto relabelfrom }; + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + 
manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + relabel_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + relabel_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + relabel_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + relabel_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + files_list_home($1) # cjp: this should probably be removed: - allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` - fs_mount_nfs($2) - fs_mounton_nfs($2) - fs_manage_nfs_dirs($2) - fs_manage_nfs_files($2) - fs_manage_nfs_symlinks($2) - fs_manage_nfs_named_sockets($2) - fs_manage_nfs_named_pipes($2) + fs_mount_nfs($1) + fs_mounton_nfs($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + fs_manage_nfs_symlinks($1) + fs_manage_nfs_named_sockets($1) + fs_manage_nfs_named_pipes($1) ') tunable_policy(`use_samba_home_dirs',` - fs_mount_cifs($2) - fs_mounton_cifs($2) - fs_manage_cifs_dirs($2) - fs_manage_cifs_files($2) - fs_manage_cifs_symlinks($2) - fs_manage_cifs_named_sockets($2) - fs_manage_cifs_named_pipes($2) + fs_mount_cifs($1) + fs_mounton_cifs($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + fs_manage_cifs_symlinks($1) + fs_manage_cifs_named_sockets($1) + fs_manage_cifs_named_pipes($1) ') ') 
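Review bot: The interface keeps `# cjp: this should probably be removed:` above `allow $1 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };`, and this patch is the point where that rule stops being per-domain and is granted to the whole unpriv_userdomain attribute (userdomain.te, trailing hunk). Manage plus relabel on the user_home_dir_t directories themselves, rather than on their contents, for every unprivileged user type is broader than the summary suggests, so either resolve the TODO now or replace it with a comment stating why the rule must stay. The hunk begins on the previous line.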
@@ -316,6 +215,21 @@ interface(`userdom_manage_home_role',` ## Role allowed access. ## ## +## +# +interface(`userdom_manage_tmp_role',` + gen_require(` + attribute user_tmp_type; + type user_tmp_t; + ') + + role $1 types user_tmp_t; +') + +####################################### +## +## Manage user temporary files +## ## ## ## Domain allowed access. 
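Review bot: The new `userdom_manage_tmp_role` requires `attribute user_tmp_type;` but its only statement is `role $1 types user_tmp_t;`, so the attribute in gen_require is unused; the same applies to `attribute user_tmpfs_type;` in the new `userdom_manage_tmpfs_role` (@@ -424 hunk below). Trim each gen_require to the type it uses, `gen_require(` type user_tmp_t; ')`, and note in both summaries that these role interfaces grant no access by themselves and are meant to be paired with `userdom_manage_tmp` / `userdom_manage_tmpfs` on the domain.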
@@ -323,27 +237,25 @@ interface(`userdom_manage_home_role',` ## ## # -interface(`userdom_manage_tmp_role',` +interface(`userdom_manage_tmp',` gen_require(` attribute user_tmp_type; type user_tmp_t; ') - role $1 types user_tmp_t; - - files_poly_member_tmp($2, user_tmp_t) + files_poly_member_tmp($1, user_tmp_t) - manage_dirs_pattern($2, user_tmp_type, user_tmp_type) - manage_files_pattern($2, user_tmp_type, user_tmp_type) - manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) - manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) - manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) - files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) - relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) - relabel_files_pattern($2, user_tmp_type, user_tmp_type) - relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) - relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) - relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) + manage_dirs_pattern($1, user_tmp_type, user_tmp_type) + manage_files_pattern($1, user_tmp_type, user_tmp_type) + manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) + manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) + manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) + files_tmp_filetrans($1, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_dirs_pattern($1, user_tmp_type, user_tmp_type) + relabel_files_pattern($1, user_tmp_type, user_tmp_type) + relabel_lnk_files_pattern($1, user_tmp_type, user_tmp_type) + relabel_sock_files_pattern($1, user_tmp_type, user_tmp_type) + relabel_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ') ####################################### 
@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files', ## Role allowed access. ## ## +## +# +interface(`userdom_manage_tmpfs_role',` + gen_require(` + attribute user_tmpfs_type; + type user_tmpfs_t; + ') + + role $1 types user_tmpfs_t; +') + +####################################### +## +## Allow access for the user tmpfs type +## ## ## ## Domain allowed access. 
@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files', ## ## # -interface(`userdom_manage_tmpfs_role',` +interface(`userdom_manage_tmpfs',` gen_require(` attribute user_tmpfs_type; type user_tmpfs_t; ') - role $1 types user_tmpfs_t; - - manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) + manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) + manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + relabel_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) + relabel_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + relabel_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + relabel_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) + relabel_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ') ####################################### 
@@ -578,260 +503,31 @@ template(`userdom_change_password_templa template(`userdom_common_user_template',` gen_require(` attribute unpriv_userdomain; + attribute common_userdomain; ') - userdom_basic_networking($1_usertype) - - ############################## - # - # User domain Local policy - # - - # evolution and gnome-session try to create a netlink socket - dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - allow $1_t self:socket create_socket_perms; - - allow $1_usertype unpriv_userdomain:fd use; - - kernel_read_system_state($1_usertype) - kernel_read_network_state($1_usertype) - kernel_read_software_raid_state($1_usertype) - kernel_read_net_sysctls($1_usertype) - # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_usertype) - # Find CDROM devices: - kernel_read_device_sysctls($1_usertype) - kernel_request_load_module($1_usertype) - - corenet_udp_bind_generic_node($1_usertype) - corenet_udp_bind_generic_port($1_usertype) - - dev_read_rand($1_usertype) - dev_write_sound($1_usertype) - dev_read_sound($1_usertype) - dev_read_sound_mixer($1_usertype) - dev_write_sound_mixer($1_usertype) - - files_exec_etc_files($1_usertype) - files_search_locks($1_usertype) - # Check to see if cdrom is mounted - files_search_mnt($1_usertype) - # cjp: perhaps should cut back on file reads: - files_read_var_files($1_usertype) - files_read_var_symlinks($1_usertype) - files_read_generic_spool($1_usertype) - files_read_var_lib_files($1_usertype) - # Stat lost+found. 
- files_getattr_lost_found_dirs($1_usertype) - files_read_config_files($1_usertype) - fs_read_noxattr_fs_files($1_usertype) - fs_read_noxattr_fs_symlinks($1_usertype) - fs_rw_cgroup_files($1_usertype) - - application_getattr_socket($1_usertype) - - logging_send_syslog_msg($1_usertype) - logging_send_audit_msgs($1_usertype) - selinux_get_enforce_mode($1_usertype) - - # cjp: some of this probably can be removed - selinux_get_fs_mount($1_usertype) - selinux_validate_context($1_usertype) - selinux_compute_access_vector($1_usertype) - selinux_compute_create_context($1_usertype) - selinux_compute_relabel_context($1_usertype) - selinux_compute_user_contexts($1_usertype) - - # for eject - storage_getattr_fixed_disk_dev($1_usertype) + typeattribute $1_t common_userdomain; - auth_read_login_records($1_usertype) - auth_run_pam($1_t,$1_r) - auth_run_utempter($1_t,$1_r) + userdom_basic_networking(common_userdomain) - init_read_utmp($1_usertype) - - seutil_read_file_contexts($1_usertype) - seutil_read_default_contexts($1_usertype) - seutil_run_newrole($1_t,$1_r) - seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_usertype) - # for when the network connection is killed - # this is needed when a login role can change - # to this one. 
- seutil_dontaudit_signal_newrole($1_t) - - tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_usertype) - ') - - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_ttys($1_t) - ') - - optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_usertype) - ') - - optional_policy(` - canna_stream_connect($1_usertype) - ') - - optional_policy(` - chrome_role($1_r, $1_usertype) - ') - - optional_policy(` - colord_read_lib_files($1_usertype) - ') - - optional_policy(` - dbus_system_bus_client($1_usertype) - - allow $1_usertype $1_usertype:dbus send_msg; - - optional_policy(` - avahi_dbus_chat($1_usertype) - ') - - optional_policy(` - policykit_dbus_chat($1_usertype) - ') - - optional_policy(` - bluetooth_dbus_chat($1_usertype) - ') - - optional_policy(` - consolekit_dbus_chat($1_usertype) - consolekit_read_log($1_usertype) - ') - - optional_policy(` - devicekit_dbus_chat($1_usertype) - devicekit_dbus_chat_power($1_usertype) - devicekit_dbus_chat_disk($1_usertype) - ') - - optional_policy(` - evolution_dbus_chat($1_usertype) - evolution_alarm_dbus_chat($1_usertype) - ') - - optional_policy(` - gnome_dbus_chat_gconfdefault($1_usertype) - ') - - optional_policy(` - hal_dbus_chat($1_usertype) - ') - - optional_policy(` - kde_dbus_chat_backlighthelper($1_usertype) - ') - - optional_policy(` - modemmanager_dbus_chat($1_usertype) - ') - - optional_policy(` - networkmanager_dbus_chat($1_usertype) - networkmanager_read_lib_files($1_usertype) - ') - - optional_policy(` - vpn_dbus_chat($1_usertype) - ') - ') - - optional_policy(` - git_session_role($1_r, $1_usertype) - ') - - optional_policy(` - inetd_use_fds($1_usertype) - inetd_rw_tcp_sockets($1_usertype) - ') - - optional_policy(` - inn_read_config($1_usertype) - inn_read_news_lib($1_usertype) - inn_read_news_spool($1_usertype) - ') - - optional_policy(` - lircd_stream_connect($1_usertype) - ') - - optional_policy(` - locate_read_lib_files($1_usertype) - ') - - # for running depmod 
as part of the kernel packaging process - optional_policy(` - modutils_read_module_config($1_usertype) - ') - - optional_policy(` - mta_rw_spool($1_usertype) - mta_manage_queue($1_usertype) - mta_filetrans_home_content($1_usertype) - ') - - optional_policy(` - nsplugin_role($1_r, $1_usertype) - ') - - optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') - ') - - optional_policy(` - oident_manage_user_content($1_t) - oident_relabel_user_content($1_t) - ') - - optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_usertype) - ') - - optional_policy(` - pcscd_read_pub_files($1_usertype) - pcscd_stream_connect($1_usertype) - ') - - optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_usertype) - postgresql_tcp_connect($1_usertype) - ') - ') - - optional_policy(` - resmgr_stream_connect($1_usertype) - ') + auth_run_pam(common_userdomain,$1_r) + auth_run_utempter(common_userdomain,$1_r) + seutil_run_newrole(common_userdomain,$1_r) optional_policy(` - rpc_dontaudit_getattr_exports($1_usertype) - rpc_manage_nfs_rw_content($1_usertype) + chrome_role($1_r, common_userdomain) ') optional_policy(` - rpcbind_stream_connect($1_usertype) + git_session_role($1_r, common_userdomain) ') optional_policy(` - samba_stream_connect_winbind($1_usertype) + nsplugin_role($1_r, common_userdomain) ') optional_policy(` - sandbox_transition($1_usertype, $1_r) + sandbox_transition(common_userdomain, $1_r) ') optional_policy(` @@ -839,11 +535,7 @@ template(`userdom_common_user_template', ') optional_policy(` - slrnpull_search_spool($1_usertype) - ') - - optional_policy(` - thumb_role($1_r, $1_usertype) + thumb_role($1_r, common_userdomain) ') ') 
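Review bot: `typeattribute $1_t common_userdomain;` puts only the login type on the new attribute, while the rules it replaces were on `$1_usertype` — `userdom_basic_networking($1_usertype)`, `chrome_role($1_r, $1_usertype)`, `git_session_role`, `nsplugin_role`, `sandbox_transition($1_usertype, $1_r)` and `thumb_role($1_r, $1_usertype)` in the @@ -839 hunk on this line. Unless common_userdomain is also assigned to the other usertype members somewhere not visible, every application domain in `$1_usertype` loses networking and those role transitions. The long list of `$1_usertype` rules removed here (kernel_*, dev_*, selinux_*, seutil_*, the dbus optional block, the mysql/postgresql tunables) has no visible replacement in the truncated userdomain.te hunk either, so the commit message should say where they went. The hunk begins several lines earlier and userdom_common_user_template continues outside it.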
@@ -872,10 +564,9 @@ template(`userdom_login_user_template', userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_usertype) - - userdom_manage_tmp_role($1_r, $1_usertype) - userdom_manage_tmpfs_role($1_r, $1_usertype) + userdom_manage_home_role($1_r) + userdom_manage_tmp_role($1_r) + userdom_manage_tmpfs_role($1_r) ifelse(`$1',`unconfined',`',` gen_tunable(allow_$1_exec_content, true) @@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) - allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; - dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; - ############################## # # Local policy @@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',` auth_use_nsswitch($2) ubac_constrained($2) + + userdom_manage_home_role($1_r) + userdom_manage_tmp_role($1_r) + userdom_manage_tmpfs_role($1_r) ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te --- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain 2011-10-21 09:59:22.972972981 -0400 +++ serefpolicy-3.10.0/policy/modules/system/userdomain.te 2011-10-21 10:04:03.330742358 -0400 @@ -69,6 +69,8 @@ attribute userdomain; # unprivileged user domains attribute unpriv_userdomain; +# common user domains +attribute common_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; 
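Review bot: `userdom_manage_home_role($1_r)`, `userdom_manage_tmp_role($1_r)` and `userdom_manage_tmpfs_role($1_r)` are issued here in userdom_login_user_template and again with the same argument in the `@@ -3929` hunk inside userdom_unpriv_usertype; if a login user's domain is also registered through userdom_unpriv_usertype (not visible in this view), every login template emits these role rules twice, so one of the two sites should go. The interfaces have also silently lost their domain parameter: callers still passing two arguments, as usermanage.if did before this commit, would have the surplus argument dropped by m4 without a warning, so the interface documentation should state that the domain-side grant now comes from `userdom_manage_home(unpriv_userdomain)` in userdomain.te. A user type that previously asked for tmp/tmpfs management without home management can no longer express that through these calls; if that is intended, say so in the interface doc.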
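Review bot: The comment on the new attribute, `# common user domains`, repeats the name without saying which domains receive it or what it carries. Suggest `# common_userdomain: domains that get the shared desktop/service rules (dbus clients, sound, inn/mta/pcscd/rpc access, ...) formerly granted per user type by userdom_common_user_template; see "Common User domain Local policy" below`. Nothing in the visible hunks adds a `typeattribute … common_userdomain`; presumably userdom_common_user_template does so outside this view, and naming that in the comment would spare the next reader the search.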
@@ -141,22 +143,147 @@ miscfiles_cert_type(home_cert_t) userdom_user_home_content(home_cert_t) ubac_constrained(home_cert_t) -tunable_policy(`allow_console_login',` - term_use_console(userdomain) -') - -allow userdomain userdomain:process signull; +allow unpriv_userdomain self:netlink_kobject_uevent_socket create_socket_perms; +dontaudit unpriv_userdomain self:netlink_audit_socket create_socket_perms; # Nautilus causes this avc dontaudit unpriv_userdomain self:dir setattr; allow unpriv_userdomain self:key manage_key_perms; +userdom_manage_home(unpriv_userdomain) +userdom_manage_tmp(unpriv_userdomain) +userdom_manage_tmpfs(unpriv_userdomain) + optional_policy(` alsa_read_rw_config(unpriv_userdomain) alsa_manage_home_files(unpriv_userdomain) alsa_relabel_home_files(unpriv_userdomain) ') + +############################## +# +# User domain Local policy +# +allow userdomain userdomain:process signull; + +allow userdomain user_devpts_t:chr_file { setattr rw_chr_file_perms }; +term_create_pty(userdomain, user_devpts_t) +# avoid annoying messages on terminal hangup on role change +dontaudit userdomain user_devpts_t:chr_file ioctl; + +allow userdomain user_tty_device_t:chr_file { setattr rw_chr_file_perms }; +# avoid annoying messages on terminal hangup on role change +dontaudit userdomain user_tty_device_t:chr_file ioctl; + +corecmd_shell_entry_type(userdomain) +corecmd_bin_entry_type(userdomain) + +term_user_pty(userdomain, user_devpts_t) + +term_user_tty(userdomain, user_tty_device_t) +term_dontaudit_getattr_generic_ptys(userdomain) + +application_exec_all(userdomain) + +kernel_read_kernel_sysctls(userdomain) +kernel_read_all_sysctls(userdomain) +kernel_dontaudit_list_unlabeled(userdomain) +kernel_dontaudit_getattr_unlabeled_files(userdomain) +kernel_dontaudit_getattr_unlabeled_symlinks(userdomain) +kernel_dontaudit_getattr_unlabeled_pipes(userdomain) +kernel_dontaudit_getattr_unlabeled_sockets(userdomain) +kernel_dontaudit_getattr_unlabeled_blk_files(userdomain) 
+kernel_dontaudit_getattr_unlabeled_chr_files(userdomain)
+kernel_dontaudit_list_proc(userdomain)
+
+dev_dontaudit_getattr_all_blk_files(userdomain)
+dev_dontaudit_getattr_all_chr_files(userdomain)
+dev_getattr_mtrr_dev(userdomain)
+
+# When the user domain runs ps, there will be a number of access
+# denials when ps tries to search /proc. Do not audit these denials.
+domain_dontaudit_read_all_domains_state(userdomain)
+domain_dontaudit_getattr_all_domains(userdomain)
+domain_dontaudit_getsession_all_domains(userdomain)
+dev_dontaudit_all_access_check(userdomain)
+
+files_read_etc_files(userdomain)
+files_list_mnt(userdomain)
+files_list_var(userdomain)
+files_read_mnt_files(userdomain)
+files_dontaudit_access_check_mnt(userdomain)
+files_read_etc_runtime_files(userdomain)
+files_read_usr_files(userdomain)
+files_read_usr_src_files(userdomain)
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+files_list_world_readable(userdomain)
+files_read_world_readable_files(userdomain)
+files_read_world_readable_symlinks(userdomain)
+files_read_world_readable_pipes(userdomain)
+files_read_world_readable_sockets(userdomain)
+# old broswer_domain():
+files_dontaudit_getattr_all_dirs(userdomain)
+files_dontaudit_list_non_security(userdomain)
+files_dontaudit_getattr_all_files(userdomain)
+files_dontaudit_getattr_non_security_symlinks(userdomain)
+files_dontaudit_getattr_non_security_pipes(userdomain)
+files_dontaudit_getattr_non_security_sockets(userdomain)
+files_dontaudit_setattr_etc_runtime_files(userdomain)
+
+files_exec_usr_files(userdomain)
+
+fs_list_cgroup_dirs(userdomain)
+fs_dontaudit_rw_cgroup_files(userdomain)
+
+storage_rw_fuse(userdomain)
+
+init_stream_connect(userdomain)
+# The library functions always try to open read-write first,
+# then fall back to read-only if it fails.
+init_dontaudit_rw_utmp(userdomain)
+libs_exec_ld_so(userdomain)
+logging_send_audit_msgs(userdomain)
+
+miscfiles_read_localization(userdomain)
+miscfiles_read_generic_certs(userdomain)
+
+miscfiles_read_all_certs(userdomain)
+miscfiles_read_localization(userdomain)
+miscfiles_read_man_pages(userdomain)
+miscfiles_read_public_files(userdomain)
+
+systemd_dbus_chat_logind(userdomain)
+
+tunable_policy(`allow_console_login',`
+ term_use_console(userdomain)
+')
+
+tunable_policy(`allow_execmem',`
+ # Allow loading DSOs that require executable stack.
+ allow userdomain self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow userdomain self:process execstack;
+')
+
+optional_policy(`
+ abrt_stream_connect(userdomain)
+')
+
+optional_policy(`
+ fs_list_cgroup_dirs(userdomain)
+')
+
+optional_policy(`
+ ssh_rw_stream_sockets(userdomain)
+ ssh_delete_tmp(userdomain)
+ ssh_signal(userdomain)
+')
+
 optional_policy(`
 gnome_filetrans_home_content(userdomain)
 ')
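Review bot: `userdom_manage_home(unpriv_userdomain)`, `userdom_manage_tmp(unpriv_userdomain)` and `userdom_manage_tmpfs(unpriv_userdomain)` in this hunk grant full home, tmp and tmpfs management to every domain carrying the unpriv_userdomain attribute, where before the commit each template picked these for its own `$1_usertype` (the removed `userdom_manage_home_role($1_r, $1_usertype)` calls in the `@@ -872` hunk); any helper domain registered via userdom_unpriv_usertype that previously had only tmp/tmpfs access is widened to home-directory management, and the same attribute-wide move applies to the netlink_kobject_uevent_socket allow that the `@@ -1010` hunk takes out of userdom_restricted_user_template. That is a deliberate policy choice, but it should be checked per caller and recorded in a comment above these three lines, e.g. `# every unpriv_userdomain gets home/tmp/tmpfs management; per-template opt-out is no longer possible`. Separately, `miscfiles_read_localization(userdomain)` appears twice in the added block and `fs_list_cgroup_dirs(userdomain)` is added both unconditionally and inside an `optional_policy` wrapper; one copy of each can be dropped. `logging_send_audit_msgs(userdomain)` is also repeated for common_userdomain in the next hunk, which is redundant if every common user domain is a userdomain.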
@@ -172,3 +299,240 @@ optional_policy(`
 optional_policy(`
 xserver_filetrans_home_content(userdomain)
 ')
+
+##############################
+#
+# Common User domain Local policy
+#
+
+# evolution and gnome-session try to create a netlink socket
+dontaudit common_userdomain self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+dontaudit common_userdomain self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+allow common_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
+allow common_userdomain self:socket create_socket_perms;
+
+allow common_userdomain unpriv_userdomain:fd use;
+
+kernel_read_system_state(common_userdomain)
+kernel_read_network_state(common_userdomain)
+kernel_read_software_raid_state(common_userdomain)
+kernel_read_net_sysctls(common_userdomain)
+# Very permissive allowing every domain to see every type:
+kernel_get_sysvipc_info(common_userdomain)
+# Find CDROM devices:
+kernel_read_device_sysctls(common_userdomain)
+kernel_request_load_module(common_userdomain)
+
+corenet_udp_bind_generic_node(common_userdomain)
+corenet_udp_bind_generic_port(common_userdomain)
+
+dev_read_rand(common_userdomain)
+dev_write_sound(common_userdomain)
+dev_read_sound(common_userdomain)
+dev_read_sound_mixer(common_userdomain)
+dev_write_sound_mixer(common_userdomain)
+
+files_exec_etc_files(common_userdomain)
+files_search_locks(common_userdomain)
+# Check to see if cdrom is mounted
+files_search_mnt(common_userdomain)
+# cjp: perhaps should cut back on file reads:
+files_read_var_files(common_userdomain)
+files_read_var_symlinks(common_userdomain)
+files_read_generic_spool(common_userdomain)
+files_read_var_lib_files(common_userdomain)
+# Stat lost+found.
+files_getattr_lost_found_dirs(common_userdomain)
+files_read_config_files(common_userdomain)
+fs_read_noxattr_fs_files(common_userdomain)
+fs_read_noxattr_fs_symlinks(common_userdomain)
+fs_rw_cgroup_files(common_userdomain)
+
+application_getattr_socket(common_userdomain)
+
+logging_send_syslog_msg(common_userdomain)
+logging_send_audit_msgs(common_userdomain)
+selinux_get_enforce_mode(common_userdomain)
+
+# cjp: some of this probably can be removed
+selinux_get_fs_mount(common_userdomain)
+selinux_validate_context(common_userdomain)
+selinux_compute_access_vector(common_userdomain)
+selinux_compute_create_context(common_userdomain)
+selinux_compute_relabel_context(common_userdomain)
+selinux_compute_user_contexts(common_userdomain)
+
+# for eject
+storage_getattr_fixed_disk_dev(common_userdomain)
+
+auth_read_login_records(common_userdomain)
+
+init_read_utmp(common_userdomain)
+
+seutil_read_file_contexts(common_userdomain)
+seutil_read_default_contexts(common_userdomain)
+seutil_exec_checkpolicy(common_userdomain)
+seutil_exec_setfiles(common_userdomain)
+# for when the network connection is killed
+# this is needed when a login role can change
+# to this one.
+seutil_dontaudit_signal_newrole(common_userdomain)
+
+tunable_policy(`user_direct_mouse',`
+ dev_read_mouse(common_userdomain)
+')
+
+tunable_policy(`user_ttyfile_stat',`
+ term_getattr_all_ttys(common_userdomain)
+')
+
+optional_policy(`
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect(common_userdomain)
+')
+
+optional_policy(`
+ canna_stream_connect(common_userdomain)
+')
+
+optional_policy(`
+ colord_read_lib_files(common_userdomain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(common_userdomain)
+
+ allow common_userdomain common_userdomain:dbus send_msg;
+
+ optional_policy(`
+ avahi_dbus_chat(common_userdomain)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(common_userdomain)
+ ')
+
+ optional_policy(`
+ bluetooth_dbus_chat(common_userdomain)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(common_userdomain)
+ consolekit_read_log(common_userdomain)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat(common_userdomain)
+ devicekit_dbus_chat_power(common_userdomain)
+ devicekit_dbus_chat_disk(common_userdomain)
+ ')
+
+ optional_policy(`
+ evolution_dbus_chat(common_userdomain)
+ evolution_alarm_dbus_chat(common_userdomain)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfdefault(common_userdomain)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(common_userdomain)
+ ')
+
+ optional_policy(`
+ kde_dbus_chat_backlighthelper(common_userdomain)
+ ')
+
+ optional_policy(`
+ modemmanager_dbus_chat(common_userdomain)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(common_userdomain)
+ networkmanager_read_lib_files(common_userdomain)
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat(common_userdomain)
+ ')
+')
+
+optional_policy(`
+ inetd_use_fds(common_userdomain)
+ inetd_rw_tcp_sockets(common_userdomain)
+')
+
+optional_policy(`
+ inn_read_config(common_userdomain)
+ inn_read_news_lib(common_userdomain)
+ inn_read_news_spool(common_userdomain)
+')
+
+optional_policy(`
+ lircd_stream_connect(common_userdomain)
+')
+
+optional_policy(`
+
locate_read_lib_files(common_userdomain)
+')
+
+# for running depmod as part of the kernel packaging process
+optional_policy(`
+ modutils_read_module_config(common_userdomain)
+')
+
+optional_policy(`
+ mta_rw_spool(common_userdomain)
+ mta_manage_queue(common_userdomain)
+ mta_filetrans_home_content(common_userdomain)
+')
+
+optional_policy(`
+ tunable_policy(`allow_user_mysql_connect',`
+ mysql_stream_connect(common_userdomain)
+ ')
+')
+
+optional_policy(`
+ oident_manage_user_content(common_userdomain)
+ oident_relabel_user_content(common_userdomain)
+')
+
+optional_policy(`
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid(common_userdomain)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(common_userdomain)
+ pcscd_stream_connect(common_userdomain)
+')
+
+optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect(common_userdomain)
+ postgresql_tcp_connect(common_userdomain)
+ ')
+')
+
+optional_policy(`
+ resmgr_stream_connect(common_userdomain)
+')
+
+optional_policy(`
+ rpc_dontaudit_getattr_exports(common_userdomain)
+ rpc_manage_nfs_rw_content(common_userdomain)
+')
+
+optional_policy(`
+ rpcbind_stream_connect(common_userdomain)
+')
+
+optional_policy(`
+ samba_stream_connect_winbind(common_userdomain)
+')
+
+optional_policy(`
+ slrnpull_search_spool(common_userdomain)
+')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index b1e60db..67b58eb 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -346,9 +346,13 @@ optional_policy(` lpd_run_checkpc(unconfined_t, unconfined_r) ') -#optional_policy(` -# mock_role(unconfined_r, unconfined_t) -#') +optional_policy(` + mock_role(unconfined_r, unconfined_t) +') + +optional_policy(` + thumb_role($1_r, $1_usertype) +') optional_policy(` modutils_run_update_mods(unconfined_t, unconfined_r)
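Review bot: `allow common_userdomain common_userdomain:dbus send_msg;` replaces the removed `allow $1_usertype $1_usertype:dbus send_msg;` from userdom_common_user_template, and `allow common_userdomain unpriv_userdomain:fd use;` is likewise attribute-to-attribute, so both rules now hold between any two domains carrying the attributes, across different user types rather than only within one user's set of domains. If that cross-user reach is intended it deserves a comment on each line, since `ubac_constrained` is then the only thing keeping one user type's domains from another's; if not, these two rules should stay per user type in the template. `logging_send_audit_msgs(common_userdomain)` duplicates the grant to userdomain in the previous hunk. As a style point, the two netlink dontaudit lines spell out by hand the set the file otherwise writes as `create_socket_perms` (the very next line), plus `nlmsg_read nlmsg_write` for the route socket; using the permission-set macros would make the intent readable. The rest of the section is a straight move from the template, with `common_userdomain` substituted for `$1_usertype`.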
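Review bot: `thumb_role($1_r, $1_usertype)` sits in unconfineduser.te, not inside an m4 template, so `$1` is never substituted and the call reaches the policy compiler with the literal identifiers `$1_r` and `$1_usertype`; the line appears to have been copied from the userdomain.if template. It should read `thumb_role(unconfined_r, unconfined_t)`, matching the `mock_role(unconfined_r, unconfined_t)` call that the same hunk enables just above it.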